Re: Strange masq/port-forwarding problem
On Sun, 21 Feb 1999 13:35:05 -0500, Mark W. Eichin wrote:
>> I am redirecting TCP ports "ftp" and "ftp-data" of my firewall host to an
>
>If you're just na vely redirecting them, you have missed an important
>aspect of the ftp protocol - namely that unless you're using passive
>(PASV) mode, data connections are made by the client telling the
>server what address to connect to, in the ftp command stream (PORT).
You're right. I'm quite familiar with the FTP protocol specs (because I
implemented a nearly-FTP-compliant server in Java a while ago,) I forgot about
the fact that the direction is "reversed" in "active" mode (compared to PASV,
as you mentioned.)
>In order to redirect ftp, you must rewrite the command stream as well,
>or force the client to use PASV mode (which most web browsers do, by
>default.)
Do you happen to know whether anyone has already done that? I absolutely NEED
that feature. The NAT I currently use under NT properly handles incoming FTP
connections (Nevod's NAT1000.)
>As for connections hanging with large data -- if you're filtering
>ICMP, you may be filtering out ICMP_FRAG_NEEDED, which is important if
No. As I said I disabled ALL DENY rules and set the default policy to ACCEPT --
to no avail.
>you have weird MTU's and anyone is doing Path MTU discovery (and just
>about everyone is these days.) If that isn't it, well, learn to use
>tcpdump and see what *is* happenning with one of those connections...
Sh*t. I've always wanted to learn about it, but it needs quite a lot of
practice (and time!) to understand tcpdump output, and much time is what I
don't have at the moment. :-(
Thanks for your comments.
Ralf
--
Ralf G. R. Bergs * Welkenrather Str. 100/102 * 52074 Aachen * Germany
+49-241-876892, +49-241-877776 (fax) * rabe@rwth-aachen.de * PGP ok!
Reply to: